ProFTPD-with-TLS Configuration Directives

There are only a handful of TLS-related directives that can be included in the proftpd.conf
file. Keep in mind, however, that changing the value of any of these directives is likely to
have an adverse effect on the functionality of ProFTPD on your server.

Three TLS directives have a significant impact on the performance of your FTP server.
In addition, several directives tell ProFTPD where to look for the files required for
TLS-based authentication.

TlsRequired

This directive tells ProFTPD whether it should accept connections that are not TLS-encrypted.
Unless you are absolutely certain that every person who will use FTP on your Virtual Private
Server has a TLS-capable client that supports one of the allowed encryption ciphers, you should
not change this.

The default value for TlsRequired is off. To force TLS-encrypted connections only,
change the value to on.

TlsRequired off

TlsCertsOk

TLS uses certificates for verification in much the same way SSL does. Because obtaining a signed
certificate from a trusted authority can be prohibitive, some people use self-signed certificates.
On Virtual Private Servers with SSL support, you can use your existing SSL certificate or the
default *.securesites.net certificate.

The default setting on the Virtual Private Server allows unsigned certificates to be used for FTP.
To require signed certificates only, change the TlsCertsOk value to on.

TlsCertsOk off

TlsCipherList

The TlsCipherList directive tells ProFTPD which encryption ciphers it may use. Depending on
your FTP client, some ciphers may not be supported. The following is the directive with its
default value.

TlsCipherList ALL:!EXP

Below is a segment from the README that describes how to build the value for the TlsCipherList
directive.

How to put together a 'cipher list string':

  Key Exchange Algorithms:
    "kRSA"      RSA key exchange
    "kDHr"      Diffie-Hellman key exchange (key from RSA cert)
    "kDHd"      Diffie-Hellman key exchange (key from DSA cert)
    "kEDH"      Ephemeral Diffie-Hellman key exchange (temporary key)

  Authentication Algorithm:
    "aNULL"     No authentication
    "aRSA"      RSA authentication
    "aDSS"      DSS authentication
    "aDH"       Diffie-Hellman authentication

  Cipher Encoding Algorithm:
    "eNULL"     No encoding
    "DES"       DES encoding
    "3DES"      Triple DES encoding
    "RC4"       RC4 encoding
    "RC2"       RC2 encoding
    "IDEA"      IDEA encoding

  MAC Digest Algorithm:
    "MD5"       MD5 hash function
    "SHA1"      SHA1 hash function
    "SHA"       SHA hash function (should not be used)

  Aliases:
    "ALL"       all ciphers
    "SSLv2"     all SSL version 2.0 ciphers (should not be used)
    "SSLv3"     all SSL version 3.0 ciphers
    "EXP"       all export ciphers (40-bit)
    "EXPORT56"  all export ciphers (56-bit)
    "LOW"       all low strength ciphers (no export)
    "MEDIUM"    all ciphers with 128-bit encryption
    "HIGH"      all ciphers using greater than 128-bit encryption
    "RSA"       all ciphers using RSA key exchange
    "DH"        all ciphers using Diffie-Hellman key exchange
    "EDH"       all ciphers using Ephemeral Diffie-Hellman key exchange
    "ADH"       all ciphers using Anonymous Diffie-Hellman key exchange
    "DSS"       all ciphers using DSS authentication
    "NULL"      all ciphers using no encryption

  Each item in the list may include a prefix modifier:
    "+"  move cipher(s) to the current location in the list
    "-"  remove cipher(s) from the list (may be added again by a subsequent list entry)
    "!"  kill cipher from the list (it may not be added again by a subsequent list entry)

  If no modifier is specified the entry is added to the list at the current position.
  "+" may also be used to combine tags to specify entries such as "RSA+RC4", which
  describes all ciphers that use both RSA and RC4.

  For example, all available ciphers not including ADH key exchange:
    ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

  All algorithms including ADH and export but excluding patented algorithms:
    HIGH:MEDIUM:LOW:EXPORT56:EXP:ADH:!kRSA:!aRSA:!RC4:!RC2:!IDEA

  The OpenSSL command
    openssl ciphers -v <list of ciphers>
  may be used to list all of the ciphers and the order described by a specific
  list of ciphers.
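As an added example (not part of the original page, ProFTPD or OpenSSL), the following Python models the cipher-list rules quoted above, namely OpenSSL's semantics for ALL, aliases, "A+B" combinations and the +, - and ! modifiers, over a small constructed cipher table whose names and tags are made up for illustration. It shows why the default ALL:!EXP excludes export ciphers for good, whereas -EXP would let a later entry add them back.

```python
# Constructed sample: cipher name -> tags (key exchange, auth, cipher, MAC, strength/protocol)
CIPHERS = {
    "DES-CBC3-SHA":    {"kRSA", "aRSA", "3DES", "SHA1", "HIGH", "SSLv3"},
    "RC4-SHA":         {"kRSA", "aRSA", "RC4", "SHA1", "MEDIUM", "SSLv3"},
    "RC4-MD5":         {"kRSA", "aRSA", "RC4", "MD5", "MEDIUM", "SSLv3"},
    "EXP-RC4-MD5":     {"kRSA", "aRSA", "RC4", "MD5", "EXP", "SSLv3"},
    "EXP-DES-CBC-SHA": {"kRSA", "aRSA", "DES", "SHA1", "EXP", "SSLv3"},
    "ADH-RC4-MD5":     {"kEDH", "aNULL", "RC4", "MD5", "MEDIUM", "SSLv3"},
    "NULL-MD5":        {"kRSA", "aRSA", "eNULL", "MD5", "NULL", "SSLv3"},
}
# Aliases that stand for a combination of tags (all must be present on the cipher).
ALIASES = {"RSA": {"kRSA", "aRSA"}, "ADH": {"kEDH", "aNULL"}, "EXPORT": {"EXP"}}


def matches(entry, tags):
    """True if a cipher carrying `tags` is selected by one entry such as "RC4+RSA"."""
    if entry == "ALL":                 # as in OpenSSL: everything except eNULL ciphers
        return "eNULL" not in tags
    required = set()
    for word in entry.split("+"):      # "A+B" selects ciphers that carry every tag
        required |= ALIASES.get(word, {word})
    return required <= tags


def evaluate(cipher_list):
    """Return the ordered cipher names an OpenSSL-style cipher list string selects."""
    selected, killed = [], set()
    for item in cipher_list.split(":"):
        mod = item[0] if item[:1] in ("+", "-", "!") else ""
        entry = item[len(mod):]
        hits = [c for c, t in CIPHERS.items() if matches(entry, t) and c not in killed]
        if mod == "":                  # add new matches at the current end of the list
            selected += [c for c in hits if c not in selected]
        elif mod == "+":               # move matches already in the list to the end
            selected = [c for c in selected if c not in hits] + [c for c in selected if c in hits]
        elif mod == "-":               # remove, but a later entry may add them back
            selected = [c for c in selected if c not in hits]
        else:                          # "!": remove and never let them back in
            selected = [c for c in selected if c not in hits]
            killed |= set(hits)
    return selected


if __name__ == "__main__":
    for s in ("ALL:!EXP", "ALL:-EXP:EXP", "ALL:!EXP:EXP", "ALL:!ADH:RC4+RSA:+HIGH"):
        print(f"{s:24} -> {', '.join(evaluate(s))}")
```

Against a real OpenSSL build, `openssl ciphers -v 'ALL:!EXP'` performs the same evaluation over its full cipher table.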

Other TLS Directives

Some other directives tell ProFTPD which files to check for certificates. You are unlikely to
need to change any of these values. The following shows the certificate-file directives with
their default values.

Please note: the information on this page applies to ITS web hosting plans. It may or may not apply to other environments.